Fixes

OPENAM-19427: KBA question are not falling back to the default language when French is present in the restart password flow

OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

OPENAM-19359: Social authentication not working on Subrealms

OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

OPENAM-19123: AM validates duplicate registration tokens

OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

OPENAM-18990: Non-compliant OAuth 2.0 error response generated

OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

OPENAM-18952: KBA questions are not falling back to the default language when French is present

OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

OPENAM-18921: Double slashes in oauth 2.0 claim names are handled incorrectly

OPENAM-18891: JWT Profile Oauth 2.0 grant returns invalid_grant

OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

OPENAM-18754: User profile success URL ignored when authenticating with trees

OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

OPENAM-18705: Problem with Page Node using node relying on secureState

OPENAM-18701: DN cache doesn’t get deleted in some cases

OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

OPENAM-18644: IdRepo cache can not be disabled anymore

OPENAM-18640: REST-STS uses the old path to reach the users endpoint

OPENAM-18623: Issue with jwk_uri endpoint called in parallel

OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header - can be rejected by external OAuth 2.0providers

OPENAM-18523: NullPointerException when Web Agent group is changed

OPENAM-18487: Trust anchor check fails with Yubikey

OPENAM-18460: max_age parameter is overwritten

OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

OPENAM-18443: Transactional authentication is disabled on new installs

OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

OPENAM-18422: Email Template node creates threads without terminating them

OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

OPENAM-18384: Email Suspend Node clears the secure state

OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

OPENAM-18359: Choice Collector Node not present following upgrade

OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

OPENAM-18212: Check for user/agent profile condition during login can be refined further

OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

OPENAM-18205: Excessive logging occurs when agent profile is not found

OPENAM-18180: No TransactionId present for AuthTreeExecutor

OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

OPENAM-18149: Wrong log file is used for SAML2 extensions log message

OPENAM-18141: AM no longer uses global SAML configuration

OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

OPENAM-18121: Complex authentication trees load slowly

OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exists

OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

OPENAM-18062: SPACSUtils withholds exception and does not log error

OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

OPENAM-18043: Device Match module not setting correct AuthLevel

OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

OPENAM-18006: Persistent search for identity store does not recover

OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

OPENAM-17962: LDAP Decision Node does not put updated password in transient state

OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

OPENAM-17935: Missing return statement in the happy flow of the kerberos node

OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

OPENAM-17916: When no session exists logout page redirects to login

OPENAM-17912: Account lockout count is not reset correctly

OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

OPENAM-17830: Error messages are logged when the Push Notification Service is absent

OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

OPENAM-17814: Auth Tree step-up fails if username case does not match

OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

OPENAM-17783: Language tag limited to 5 characters instead of 8

OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

OPENAM-17760: PEM support incorrectly decodes some EC private keys

OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

OPENAM-17663: Improve the error response code for "Failed to revoke access token"

OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17590: OIDC login hint cookie broken since 7.0

OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

OPENAM-17515: Sub attribute in access token can be in wrong case

OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

OPENAM-17426: No validation for attribute collector node

OPENAM-17405: Token introspection response not spec compliant

OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

OPENAM-17265: Amster updates incorrect authorized_keys file

OPENAM-17040: UMA policy creation does not work with shared repo

OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

OPENAM-16642: Server id creation can fail when id is greater than 100

OPENAM-16490: OWASP ESAPI broken

OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

OPENAM-16262: Javadocs for IdUtils needs updating

OPENAM-16216: Get Session Data node improvements

OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-13855: CTS creates too many connections to DS

OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity